
How to count similar events per 5 minutes in a 60 minute search?


Hi, I'm trying to have a table of failed login attempts. The table shows all failed login attempts for the last 60 minutes, but I want to group similar attempts by device, username used, attempt from and reason for failure.

I've already managed to group them, but I don't want the table to show the count for similar events for the last 60 minutes. Instead, I want it to group by similar events for the last 5 minutes WHILE showing all the attempts for the last 60 minutes. I'm not even sure this is possible. I tried bucket _time span=5m, but it still groups by the whole 60 minutes. Here's what I have so far:

EDIT: I've managed to get the bucket to work by changing stats count, first(_time) as "_time" by acddev, acduser, acdfrom, acdreason to stats count by _time, acddev, acduser, acdfrom, acdreason, but I don't want to show the time in 5 minute intervals; I want to show the time of the latest attempt in that group of events. Is this possible?
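One way to get the latest attempt time per 5-minute group, as an added SPL example rather than the asker's own search (which is not shown on the page): the base search terms (index, sourcetype and the failed-login filter) are placeholders, and the field names are the ones used in the question. The trick is to write the bucketed time into a separate field so the original _time stays available for max().

```spl
index=<your_index> sourcetype=<your_sourcetype> <failed-login filter> earliest=-60m
| bucket _time span=5m AS bucket_start
| stats count, max(_time) AS _time BY bucket_start, acddev, acduser, acdfrom, acdreason
| fields - bucket_start
| table _time, count, acddev, acduser, acdfrom, acdreason
| sort - _time
```

Because bucket_start (not _time) is the grouping key, max(_time) is the newest raw event in each 5-minute group and is rendered as the normal _time column, while the 60-minute window still covers every attempt.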
